Method and system for authentication of a service request

ABSTRACT

A method and a system are directed to authentication of a commission from a customer to a service provider. A set of randomly generated code words are stored in a memory circuit associated with a mobile-telephone subscription in a mobile telephone, as well as in a database together with an association to the mobile-telephone subscription. The method includes the steps of determining the identity of the customer, of identifying the mobile-telephone subscription on the basis of the identity of the customer, of retrieving a code word from the memory circuit, and of checking the presence of the code word in the code word set in the database that is associated with the mobile-telephone subscription, in order to thus authenticate the commission.

This application is the national phase under 35 U.S.C. § 371 of PCT International Application No. PCT/SE00/01842 which has an International filing date of Sep. 22, 2000, which designated the United States of America, the entire contents of which are hereby incorporated by reference.

TECHNICAL FIELD

The present invention concerns a method and a system for authentication of a request from a customer to a service provider.

TECHNICAL BACKGROUND

A constantly recurring problem on the market in the case of purchases for which credit cards or bankcards are used is to establish the identity of the card user. Usually, each card has a specific code, for instance a four-digit number code, which in some stores may be inputted in a terminal in conjunction with the purchase. However, this is not a particularly attractive solution for an individual possessing a dozen cards, each having its specific code. Restaurants, for example, often employ the method of requesting the customer to sign a slip in confirmation of the transaction, and the signature serves as a post-check, should any doubt arise about the payment. This means that only long after the event will the cardholder notice if an unauthorized individual has utilized his card without his knowing. It might even happen that the personnel of the restaurant fraudulently charge the card with several transactions during the period when they alone have access to the card. It is often sufficient that a dishonest person gets hold of the number of the card to enable him to use the card on a later occasion.

According to prior-art technology intended for situations wherein a customer has recurrent contacts with e.g. a bank, the customer is equipped with a list of codes hidden by a rub-off film. The bank has access to the same list, which may be stored e.g. in the bank computer system. Each time the customer requests a transaction, for instance by telephone, he exposes one of the code numbers by rubbing off the film and then discloses the exposed number to the bank. The number is compared against the list in the bank, and a match ensures that the customer is the person he claims to be, or at least is in possession of the rub-off list in question.

According to prior-art systems devised to provide secure transactions for instance on the Internet, the user must have access to a small electronic device at the time of the transaction. Codes are exchanged between the computer and the electronic device in order to ensure that the user actually has access to the electronic device. This technology is employed above all in conjunction with banking services on the Internet when a customer uses the service comparatively often.

The solution involving the individual-related electronic device does, however, produce two problems:

In the first place, it is possible for a skilful expert to copy the electronics, for example the ROM memory, of an electronic device to which he has access albeit briefly. The electronic device may then be returned to the owner who suspects no mischief. From then on, there is no possibility for the computer system to ascertain whether a request is made by the owner or the dishonest person.

In the second place, an electronic device is specific to each service provider, which means that a user of several services must carry with him several electronic devices. Consequently, there is a risk that he has forgotten the electronic device that is required for the occasion. In addition, it reduces the user's chances to keep an eye on all electronic devices, and a dishonest person can easily use a stolen device or copy a “borrowed” device before the user has had time to miss it.

When credit cards are used for payment over the Internet, generally only the number of the credit card serves as the authenticity check. It is possible to encrypt the credit card number, but if the encrypting code is cracked, a dishonest person could use the card comparatively freely until the time when the user receives a bill, usually at the end of a month. Electronic devices of the kind described above could of course be used to increase security, but the problems related to copying of the electronics of the device and the need for several devices do, of course, remain.

Some providers of services offer systems on the Internet, according to which a person must first register as a customer and only then is he allowed to make purchases using his credit card. Like the system involving the electronic devices, these systems suffer from the disadvantage that they are specific to each service provider, making the user's life very complicated as he has to have contact with several service providers.

Other common services for which authentication of a user's authorization is needed are for logging in into computer systems and admittance into security-classified premises. These systems are based almost exclusively on the presentation of a user ID in conjunction with a code or a password, which in some systems are changed according to predetermined routines, or on security pass cards and an associated code. Generally speaking, the fact is that in our society a multitude of codes exists which it is difficult for the individual to remember. He might therefore be tempted to write down the codes somewhere, which reduces security.

The combination of disclosure of a code and an electronic device, which has to be physically available, improves security but at the cost of requiring several devices. Consequently, this technology hardly presents a universal solution to the problems outlined above.

There is therefore a need for a uniform system that might be used with several types of service requests and that allows the authenticity of the customer or user to be verified in a simple manner.

Definitions

In the following description, a number of expressions will occur, which are defined as follows.

By the expression “commission” is to be understood generally a service that a person wishes to be rendered by a provider. For example, a commission could be a financial transaction delivered by a bank or similar establishment, but a commission could equally well be a request for admission into a building or for log-in into a computer system. To order such a commission is referred to as a “service request”.

By the expression “service provider” is to be understood both the company carrying out the commission (such as a bank, a credit card company or a security company) and the equipment used to implement the commission (such as a door lock, an automatic teller machine or a computer system in log-in situations).

The “customer” is the individual requesting the commission from the service provider, and in the following description, the customer and the service provider are also users of the method and the system in accordance with the invention.

By the expression “database” is to be understood the data-storage memory unit as well as the software processing volumes of data and executing operations for instance for the purpose of comparing volumes of data.

By “mobile telephone” is to be understood herein a portable telephone, such as a cellular telephone (e.g. GSM) or the like. The expression naturally includes any portable telephones that may be developed in the future.

SUMMARY OF THE INVENTION

A purpose of an embodiment of the present invention is to solve at least one of the problems outlined above and/or to make it possible to satisfactorily authenticate a customer requesting a service.

A purpose of an embodiment of the invention is to make it possible to authenticate a customer requesting a service, such as by means of a universal method that may be made use of by several service providers without the provider requiring specific equipment, for example.

These purposes and/or other purposes are obtained in accordance with the teachings of embodiments of the invention by means of a method and/or a system.

In accordance with an embodiment of the invention, two identical code word sets are provided for each customer, one set being stored in a memory circuit in a mobile telephone and the other one being stored in a database. Authentication is performed by identification of the mobile-telephone subscription, extraction of a code word from the memory circuit, and the code word is checked against that code word set in the database that is directly or indirectly associated with the mobile-telephone subscription. The relative order of the above operational steps could, of course, be different; for example, the code word could be extracted from the memory circuit prior to identification of the mobile-telephone subscription.

One advantage of the method and system according to an embodiment of the invention compared with prior-art technology is that the code words are of a use-once-only character combined with the fact that no predictable algorithm is used to derive the next code word. To gain knowledge of the code words in a set requires that the memory circuit of the mobile telephone be actually physically stolen or else copied electronically.

In addition, the method and the system according to an embodiment of the invention may be used by an unlimited number of service providers. The only condition required of the service provider is possession of equipment by means of which he is able to establish connection with the database and transfer the code word and the identity, and to receive the results of the authentication. In addition, this means that by blocking his mobile-telephone subscription in the database, the user may easily block all services that make use of the system. One alternative is that the service provider himself owns the database or a subset thereof.

An additional advantage is that the system may be used completely in parallel with and independently of existing security systems. Thus, each service provider may choose on his own whether he wishes to join the system and thereby improve the security of his existing system.

Preferably, the code word is retrieved from the memory circuit in a predetermined order, which improves the security of the authentication further. Not only is a check made to establish whether or not the code word is included in the code word set that is associated with the stated identity, but also a check is made as to whether the code word is the correct one within the set.

In the memory circuit, it is possible to indicate when a code word has been used, and a similar indication may be made in the database. This possibility ensures that the memory circuit and the database agree as to where in the predetermined sequence the next code word is to be extracted. Consequently, the memory circuit and the database are prevented from getting “out of phase”. This system may be likened to the situation wherein the customer carries on him a list of code words that are hidden by a rub-off coating. To use a code word, the customer needs to expose it by rubbing off the coating, and the service provider exposes the corresponding hidden code word from his list in the same manner and compares the two. In order for the customer to be accepted, the correct list must be used, and in addition, the correct code word on the list.

One consequence of this procedure is that a dishonest individual, who has secretly gained access to a person's code word set, for example by having copied the memory circuit by electronic means, will only be able to use the memory circuit, if the person has not already made a request and in conjunction therewith used the next code word. Should the dishonest individual actually succeed in accomplishing a request, the fraudulent action will be revealed when next the person is to make a request, since the code word he then indicates will not be accepted. The mobile subscription will then be blocked, and the damage is minimized. This should be compared with the situation according to prior-art technology, when a security device, copied secretly, may be used by a dishonest individual until the owner receives an irregular account statement or similar information.
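The in-order, use-once check and the resulting detection of a copied memory circuit can be modelled as follows. This is an added example, not part of the patent text: the class and function names, the sample subscription number, and the choice to block on the first out-of-sequence code word are assumptions made for illustration.

```python
import copy
import secrets
from dataclasses import dataclass


def generate_code_word_set(size=10, digits=4):
    """Draw each code word independently from a CSPRNG.

    No code is derived from another, so duplicates within a set are possible,
    as the description allows.
    """
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(size)]


@dataclass
class SimCard:
    """Memory circuit: holds the code word set and a 'used' marker (hypothetical model)."""
    subscription: str
    codes: list
    next_index: int = 0  # position of the next unused code word

    def next_code(self):
        if self.next_index >= len(self.codes):
            raise RuntimeError("code word set exhausted")
        code = self.codes[self.next_index]
        self.next_index += 1  # mark as used on the card
        return code


@dataclass
class Record:
    codes: list
    next_index: int = 0
    blocked: bool = False


class AuthDatabase:
    """Database side: identical set per subscription, consumed in the same order."""

    def __init__(self):
        self._records = {}

    def enroll(self, subscription, codes):
        self._records[subscription] = Record(list(codes))

    def is_blocked(self, subscription):
        return self._records[subscription].blocked

    def authenticate(self, subscription, code):
        rec = self._records.get(subscription)
        if rec is None or rec.blocked or rec.next_index >= len(rec.codes):
            return False
        expected = rec.codes[rec.next_index]
        if not secrets.compare_digest(code, expected):
            # Assumption: one out-of-sequence code word blocks the subscription.
            rec.blocked = True
            return False
        rec.next_index += 1  # mark as used in the database
        return True


def clone_scenario(codes=None):
    """Owner uses one code, the card is copied, the copy is used once, then the owner returns."""
    codes = codes or generate_code_word_set()
    db = AuthDatabase()
    owner = SimCard("+46700000000", list(codes))  # constructed sample number
    db.enroll(owner.subscription, codes)

    results = [db.authenticate(owner.subscription, owner.next_code())]    # legitimate request
    clone = copy.deepcopy(owner)                                          # memory circuit copied
    results.append(db.authenticate(clone.subscription, clone.next_code()))  # fraud succeeds once
    # The owner's card is now one position behind the database ("out of phase").
    results.append(db.authenticate(owner.subscription, owner.next_code()))  # rejected
    results.append(db.is_blocked(owner.subscription))                     # subscription blocked
    results.append(db.authenticate(clone.subscription, clone.next_code()))  # copy is now useless
    return results


if __name__ == "__main__":
    print(clone_scenario(["1111", "2222", "3333", "4444"]))
```

Because the database compares against the code word at the expected position rather than testing set membership, a repeated value elsewhere in the set does not let a stale or skipped code word pass.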

The step of identifying the mobile-telephone subscription preferably includes the steps of determining the identity of the customer, and based on the identity of the customer, identifying the mobile-telephone subscription. The identity of the customer may consist of suitable data, such as the personal identification number, a credit card number or a mobile-telephone number. The concept “identity” in this case actually only indicates the existence of a direct connection to an individual, and the data representing the identity might be exchangeable. For instance, the identity data from the customer to the service provider could be supplied in the form of e.g. the number of a bank card or a security pass card together with the associated code, or a user ID together with an associated code, and from the service provider to the database in the form of a mobile-telephone number or a predetermined ID number. However, the database must be able to associate the received identity data with a predetermined code word set, normally via the mobile-telephone number, in order thus to be able to check that the given code word has been retrieved from the correct memory circuit.

In accordance with a preferred embodiment, a request is sent to the customer to state a code word. The customer thus can request a service in a conventional manner, whereupon the service provider, as an additional security measure, demands a code word, which the customer retrieves from the mobile telephone. Preferably, the service provider in this case is in possession of information regarding which ones of its customers are connected to the system in accordance with the invention, and as the case may be, sends an inquiry to the database. The database thereafter requests that the customer state a code word.

The request may be forwarded to the mobile telephone via the telecommunication network, and the code word may be transferred from the mobile telephone to the database via the telecommunication network. Preferably, the customer gives his acceptance of transmission of the code word by pressing suitable keys on the mobile-telephone keypad. Because in this manner two separate communication routes are made use of, on the one hand a route between the service provider and the database and on the other between the database and the mobile telephone, security is improved additionally. A dishonest individual, who has caught and distorted information along the first communication route, has no possibility of predicting which mobile-telephone subscription or base station will be used as the next step of the authentication process.

A request forwarded to the mobile telephone, for example in the form of an SMS message or the like, may contain information on the transaction. This may be advantageous, for example in a situation when the card has been swiped through the card reader and has been accepted by the card company, but when the transaction amount has not yet been established. When the entire authentication process has been concluded, a dishonest individual could then state an erroneous amount, thus charging the account of the customer with too high an amount. By means of an SMS message as indicated above the fraud would be detected by the customer, who thus is informed of the fraudulent request to his mobile telephone and then is able to deny acceptance of the transaction.

The fact that the mobile telephone is contacted directly gives the user a possibility of detecting a fraudulent action as it is being perpetrated. He can then block the mobile-telephone subscription immediately, or block the card or the service exposed to the fraud. Let us assume that someone has stolen or copied a person's credit card and in addition has succeeded in obtaining the next code in that person's memory circuit. When the card is being used and a transaction is accepted by the database, a message is sent to the person's mobile telephone, whereupon the person is apprised of the fact that someone has used one of the code words in the memory circuit. Another possibility is to delay the request for a code word to the customer for a predetermined length of time, or to make use of two confirmations, spaced apart in time. This procedure would prevent a dishonest individual from using a mobile telephone, which is later returned to the owner, without the owner being aware thereof. The length of the delay may be adapted to ensure that the owner of the mobile telephone will have time to miss it and block it before a code-word request is sent to the mobile telephone and the order thus confirmed.

At the same time, this method permits a customer to allow a third person to use the customer's card for a particular service, for example to buy some merchandise. Irrespective of his whereabouts, the customer is informed of the purchase on his mobile telephone, and makes the final confirmation via his mobile telephone.

Particularly in the case of service requests via the Internet, it is advantageous that a request from the database or the provider of the service is made directly to the mobile telephone, since all Internet-transferred information is accessible to others to a larger or smaller extent. An SMS message made to the customer's telephone therefore is an excellent acknowledgement of the correctness of the transaction.

In accordance with another embodiment of the invention the identity of the customer and the code word retrieved from the memory circuit are transferred to the service provider, the mobile-telephone subscription associated with the customer is identified by the service provider, and the identities of the code word and the mobile-telephone subscription are transferred to the database by the service provider. This method allows the customer to transfer, directly in conjunction with the request, his identity as well as a code word to the service provider. The identification of the mobile-telephone subscription is then effected either by the service provider or by the database.

In accordance with a further embodiment of the invention a second code word is retrieved from the memory circuit and transferred to the database in order to additionally verify the authenticity of the request. The code words of the set may be associated with one another in groups comprising different numbers of code words, to be used for different types of service requests of different security levels.

The first code word may be transferred from the customer to the database, perhaps via the service provider, whereupon the database issues a request to the customer to state a second code word, and finally, the second code word is transferred from the customer to the database. The request to the customer may be effected in the same way as in the case of the request described above. One possibility thus is that the customer receives two successive requests to the mobile telephone to transfer a code word. Another possibility is that the customer first states a code word directly in conjunction with making his request and thereafter is asked to state an additional code word. Obviously, several other possibilities exist, and in particular the PIN code of the mobile telephone may be made use of as one means of increasing authentication security.

According to one embodiment of the invention, also position data associated with the mobile-telephone subscription are stored in the database. In the authentication process, the memory circuit is located, and the position data received may be compared with the position data stored in the database. This method may be used to geographically restrict the area within which the customer can effect certain types of service requests. For example, purchases above a certain amount may be limited to a few, predetermined locations, which increases security further. This geographic check can also be applied for logging-in into a computer system, which perhaps is allowed only from the work premises or from home. Alternatively, position data in the database could be an IP address, allowing log-in processes or Internet transactions to be restricted to a specific computer unit, without such information being available to the service provider or anywhere on the Internet.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be described in more detail in the following with reference to the accompanying drawings, which for exemplifying purposes show preferred embodiments of the invention. In the drawings:

FIGS. 1 a-b show two code word sets in accordance with the invention,

FIG. 2 shows a mobile telephone in accordance with the invention,

FIG. 3 shows a database in accordance with the invention,

FIG. 4 shows the manner of retrieval and storage of the code-word sets of FIG. 1,

FIGS. 5 a–e show five different preferred embodiments of the method according to the invention, and

FIG. 6 illustrates the method in accordance with the invention in a more detailed view.

DESCRIPTION OF PREFERRED EMBODIMENTS

FIGS. 1 a–b show two examples of a code word set 1 consisting of a plurality of codes 2 in the form of four-digit or six-digit number combinations. These number combinations are extracted at random and have no deducible relationship, neither as to their composition nor as to their sequence. The codes may be arranged in groups 3 containing two or several codes 2 in each group.

Since each code in itself is entirely independent of the others, there is nothing to prevent one combination of numbers to appear several times in the same set, or even within the same group.

The code-word set 1 is associated with an identity 4, which is directly or indirectly connected with a mobile-telephone subscription. In the shown example, the identity consists of a mobile-telephone number 5.

The mobile telephone 10, shown schematically in FIG. 2, is equipped in the conventional manner with a keypad 11, a display 12, and a receiver/transmitter 13. The mobile telephone also has a memory circuit 15, for example a SIM card or similar smart card, which contains data 16 pertaining to the mobile-telephone subscription. For example, a SIM card may comprise information on the telephone number of the subscription and on how much credit remains in the customer's account with the mobile service provider. In accordance with the invention, the memory circuit 15 is also provided with a code word set 17 that is associated with the subscription.

The SIM card may be provided with a subscription ID and a code word set before being delivered to a retailer under conditions of extreme security, for example in the form of a seal of some kind. The customer, who buys or in some other way gets hold of the SIM card, checks that the seal has not been violated and thereafter arranges the SIM card in his mobile telephone, which allows him to use the telephone.

In addition, the mobile telephone shown in FIG. 2 comprises means, such as software 18, devised to retrieve from the memory circuit 15 a code word from the code word set 17, and to transmit the code word by means of mobile-telephone communication, for example in a SIM message. Software having this function may be developed by the expert in the field. The software 18 may also transmit a code word via a communication port or an IR port. In addition, a retrieved code word may be shown on the display 12.

Furthermore, the software 18 is arranged to receive a code word and to compare the code word with the code word set in the memory circuit. The code word may be inputted by means of the keypad 11, or else be received by means of mobile-telephone communication directly to the receiver 13 of the mobile telephone, for example through reception by the mobile telephone of an SMS message.

Preferably, the mobile telephone is arranged to be set in a dormant state, wherein it does not receive any telephone calls but wherein it is capable of receiving and transmitting SMS messages. This function may be devised by an expert in the field.

In the database 21 shown in FIG. 3, a plurality of code-word sets 22 are stored, each one having an identity 23 that is associated with a mobile-telephone subscription, the corresponding SIM card of which comprises an identical code word set.

In addition, each set 22 can be associated to one or several position indications 24. The position indications could for instance be locations where the customer has indicated that he wishes to be able to make a certain type of requests.

The database 21 is furthermore provided with communication means 25 able to receive a question and to provide the results of the authentication process. For example, the communication means 25 could be a modem arranged to communicate with the service provider, for example to receive a code word and an identity from the service provider, and to transmit confirmation to the service provider that the authenticity of the commission is verified. The communication means 25 could also be arranged to communicate with the mobile telephone via the mobile-telephone network, for example by way of SMS messages.

The database 21 is also provided with means, preferably software 26, arranged to perform searches in the database and to verify e.g. that a specific code word exists in the code word set 22 in the database associated with a predetermined identity 23.

FIG. 4 illustrates how code-word sets 1 are formed and stored.

In a completely independent computer system, combinations of numbers are created at random in accordance with algorithms that cannot be predicted from the outside (Step 31). This procedure ensures that nobody can predict which code words are included in a particular code word set, and can easily be devised by an expert in the field. The combinations of numbers are arranged in groups and sets (Step 32), in accordance with algorithms, which in themselves may be allowed to be known outside the computer system. In addition, the computer system is provided with a series of mobile-telephone numbers which are supplied by a mobile-telephone service provider, and which associate each code word set with a particular telephone number (Step 33).

The sets are then distributed (Step 34) to companies that equip the SIM cards with data, where each code word set is stored on a SIM card (Step 35), the latter either prior to or after the storage having been attributed to the mobile-telephone number associated with the mobile-telephone number.

In addition, the sets are also distributed (Step 34) to the database, where they are also stored (Step 35). The sets may be stored on access-protected data carriers, such as coded and sealed CDs, which are distributed in a safe manner, for example by means of couriers. If the computer system forming the sets is connected to the database, this part of the distribution may be effected safely electronically.

FIGS. 5 a–e illustrate generally five different varieties of the manner in accordance with the invention of implementing the process of authenticating a request from a customer 41 to a service provider 42. In all cases, the customer 41 has access to a mobile telephone 10 in accordance with FIG. 2.

In accordance with the method of FIG. 5 a, the customer initially states his identity 43 to the service provider 42. Normally, he does this in conjunction with making his request, in which case he provides e.g. a user's ID, a credit card number, or other information allowing the service provider to identify the customer.

The service provider possesses information on which customers are connected to the system in accordance with the invention, and is able to associate a mobile-telephone subscription with the identity of the customer. The service provider 42 sends a query to the database 21, and transmits to the database 21 the identity 23 of the mobile-telephone subscription, usually in the form of a mobile-telephone number but possibly in the form of another identification associated with the mobile-telephone subscription. It should be understood that instead the identity 43 of the customer could be transmitted to the database 21 and the mobile-telephone subscription in question be identified by the database.

The database thereafter sends a request 45 to the mobile telephone 10 via the telecommunication network, for example an SMS message, or the like. The message 45 contains particulars of the request, which are shown on the display 12, thus allowing the customer to check the correctness of the request. In the affirmative, the customer may confirm the fact in any suitable manner, for example by pressing a particular key on the keypad 11 twice. For example, the customer may receive a message on his mobile telephone of the type reading “Credit card purchase $35 at Burger King. Press OK to confirm”, or “You are now logging-in into your workplace, Press OK to confirm”. The customer then presses the OK key. An additional confirmation step of the type “Are you sure Y/N” might be advisable as an extra check. The software 18 of the mobile telephone then retrieves from the SIM card 15 the next, not yet used code 46 and transmits the latter from the mobile telephone 10 to the database 21. Simultaneously, the transmitted code word is marked as used on the SIM card. The request 45 from the database could also contain a code word (not shown), which is checked by the mobile-telephone software 18 against the code word set 17 in the SIM card 15.

Another possibility is that the database 21 contacts the service provider 42, who in turn asks the customer for a code word, which the provider returns to the database 21.

As the database 21 receives the code word 46, the latter may be compared with the code word set 22 that is associated with the mobile-telephone subscription. Should the check fail, for example because the code cannot be found in the code word set in the database that is associated with the mobile-telephone number, information of this fact is transmitted to the service provider, who may refuse to perform the service, for example by refusing access to a computer system or stopping a transaction. On the other hand, if the check is positive, i.e. the stated code is the correct one, a go-ahead signal 47 is transmitted to the service provider 42, who may then perform the service. At the same time, the code word received is marked as being used up.

In accordance with the method shown in FIG. 5 b, the customer 41 states a code word 4 in conjunction with giving his identity 43 as described above. For example, the customer 41 may read a code word 46 from the display 12 of the mobile telephone 10 and transmit that word to the service provider 42. Alternatively, a data transmission port 19 in the mobile telephone may be used to transmit a code word to the service provider.

The service provider then issues a query 44 to the database 21 and in addition to transmitting the identity as described above, he also transmits the code word 46. The database 21 checks the code word as described above and sends a go-ahead signal 47 to the service provider 42.

The method shown in FIG. 5 c actually is a combination of the two previous methods. The customer 41 first states a code word 46′ as he makes his request in accordance with FIG. 5 c and then receives a request 45 for an additional code word 46″ in accordance with FIG. 5 a.

In order to further increase security, the software 18 may be arranged, in the case of certain requests, such as purchases above a predetermined amount, to demand the user's PIN code as a condition for retrieval and transmission of the code word. This arrangement means that a dishonest individual who has got hold of a mobile telephone that is in the switched-on state still has to know the owner's PIN code.

In addition, the position data stored in the database could be used to increase security. The base station over which the mobile telephone communicates can be identified comparatively easily, and a comparison with the stored position data may be performed. Likewise, it may be possible to equip the mobile telephone with a GPS navigator or similar means, allowing the mobile telephone to make its position known with great accuracy. The position check could in this case be effected in two steps, the first one roughly with respect to the base station and the second one more precisely, with respect to longitude and latitude.

The method shown in FIG. 5 d could be regarded as a variety of the method shown in FIG. 5 b. In this case, the database 21′ is owned by the service provider 42, for which reason no external communication is required from the service provider 42. The database 21′ could be a subset of a larger database 21. This method could be used for instance when a person is to be given access to a protected object, such as a car. The car is equipped with a database 21′ comprising a number of code words, and the user may be simply identified by means of his mobile telephone.

The method shown in FIG. 5 e is very similar to the method of FIG. 5 b, but the check vis-à-vis the database 21 is effected only after some delay 48. If the mobile telephone subscription does not satisfactorily manage the credit check and ID check, the mobile telephone is blocked in the service-provider system. Examples of use of this method are payment of public-transport fees and parking fees.

Further varieties and combinations of these methods are possible within the scope of the invention. The number of code words exchanged between the mobile telephone and the database may vary, depending on the desired security level.

In the following, some examples will be given of situations wherein an authentication method in accordance with the invention is particularly suitable.

Restaurants

A guest who has dined in a restaurant requests from his credit card company or the like the service of paying the restaurant bill, using funds available in the guest's own account or in the account of the account card company (credit card). The card company thus is the service provider and the guest the customer.

In the conventional manner, the credit card is handled by the restaurant personnel, who check the card for verification of its number, its validity, whether funds are available in the account, that the card is not blocked, etc. In this manner, the card company receives information on the identity of the customer, for example through the unique card number. In accordance with a commonly used technology, the card is swiped in a card reader, which via a modem contacts the card company and checks the transaction.

In a register, the card company has stored data showing that the customer is connected to the system in accordance with the invention, and identifies the telephone number of the mobile-telephone subscription. It is transmitted to the database, which thereafter contacts the mobile telephone via the telecommunication network and receives a code word (FIG. 5 a).

Alternatively, the customer uses his mobile telephone in order to state a code word as he makes his request (FIG. 5 b). The code word may be disclosed to the restaurant personnel, who contact the card company via the card terminal and transmit the code, or else it may be transmitted from the mobile telephone to the card terminal by means of some kind of communication means, such as an IR port.

When the authenticity of the code word has been verified by the card company, a go-ahead signal 47 is sent to the restaurant, and a receipt is printed.

Internet Transactions

The method is similar when a computer user wishes to make a transaction on the Internet or the like, for example transfer funds from one of his bank accounts, or make purchases using a credit card. In this case, the computer user is the customer requesting a service in the form of a transaction. The service provider could be a card company as above, or the customer's own bank.

In this case, the identity of the customer is transmitted by input of, for example, a personal identification number and the associated password, or a credit card number or the like. Inputting may be effected in a screen display on a WWW page, and the contents of the page may be sent to the owner of the page by pressing a key.

If a method in accordance with FIG. 5 a is used, the process is identical with that of the example described above, and within minutes the customer receives an SMS message on his mobile telephone and is able to confirm the request by pressing suitable keys. If a method in accordance with FIG. 5 b is used, according to which the customer reads a code word from the display of the mobile telephone, the code word may be transmitted in the same manner as the identity, either on the same WWW page or on a following page appearing immediately after acceptance of the identity.

Log-in/Passing-in

Another category of services that is suitable for authentication checks in accordance with the invention is requests for log-in into a computer system. In this case, the customer is the person requesting to access the system, the service is admittance of the person into the computer system or the like, and the service provider is the company or computer system responsible for security.

The customer states his identity when logging in according to prior-art technology, and in conjunction therewith he enters for example a user ID including a password. The service provider can then contact the database, which demands a code word directly from the mobile telephone in accordance with FIG. 5 a. Alternatively, the customer may be given a possibility in accordance with FIG. 5 b to indicate, via the keypad, a code that has been read on the mobile-telephone display.

The procedure of allowing physical passing into premises or an area is similar to that of log-ins. For example, the identity of the customer could in this case be provided by swiping a security-pass card through a card reader or inputting a code on a door lock.

Example of a Detailed Chain of Events for Credit card Payments

With reference to FIG. 6, a more detailed description will be given below of a possible chain of events necessary to allow a legitimate customer to implement a request with a high degree of security. If the security of the request is not classified to be of the same high degree, certain operational steps could be excluded from the chain of events. Preferably, it is the computer of the service provider that determines the security classification of the request and whether or not a tip should be given at the point of sale. In this manner, the rest of the chain of events is controlled based on the security classification and on whether or not a tip should be given.

a) The customer 41 hands over a credit card 51.

b) The credit card is swiped through the card reader terminal 52 and the amount to be paid (inclusive of wardrobe fees and the like, if any) is inputted into the terminal. The terminal 52 generates a message of the desired payment, comprising e.g. the credit card number, the number of the card terminal and the amount to be paid.

c) The card terminal sends the message generated in (b) to the computer of the credit card company (service provider 42).

d) The computer of the credit card company checks the transaction for sufficient credit, and if the check is positive, the computer generates a message concerning the transaction (seller and amount, and so on), stating the number of the request, the security classification of the request, whether a “tip” should be given, and the mobile-telephone number of the credit card holder.

e) The computer of the credit card company transmits the message received in (d) to the database 21.

f) The database 21 retrieves the next not-used code word, checks with the mobile operator 54 concerned whether the mobile telephone is on an accepted location, and generates a message, demanding confirmation of the request. The message comprises e.g. data as to the seller, the number of the request, security classification, whether tips are expected, and the next non-used code word (576362).

g) The database 21 transmits the message that was generated in (f) to the customer's mobile telephone 10.

h) The mobile telephone checks the security classification concerned and whether a tip-payment situation exists. Based on the results of the check, the mobile telephone selects the routine to be followed. The mobile telephone presents the query on the display and asks for confirmation. The customer presses the OK key for confirmation. In cases of high-security classification, the mobile telephone requires that the customer inputs his PIN code or a corresponding password that only the customer knows. If a point of sale is involved (such as a restaurant) where tips are customary, a question will appear on the display of the customer's mobile telephone as to whether the amount should be increased, and the customer may then input a new, higher amount. The mobile telephone asks the customer to again confirm and if the customer does so, either one or two messages are generated, depending on the security classification. Both messages state e.g. the number of the mobile telephone, the number of the request, the seller, the amount, the final amount (in the case of a tip), the first non-used code word (576362) and the following non-used code word (805209) and, if the mobile telephone has an integrated GPS receiver, also the GPS co-ordinates are given. The mobile telephone registers the two code words as used up. The entire step (h) is processed by the software 18 of the mobile telephone 10, and this software may be developed by an expert in the field.

i) The mobile telephone 10 transmits the message generated in (h) to the database 21.

j) The mobile telephone 10 transmits the message generated in (h) to the computer 42 of the credit card company.

k) The database 21 checks the message received from the mobile telephone and if both code words are correct, an ID confirmation message is generated, which includes both code words, and the two code words are registered as being used up.

l) The database 21 sends the ID confirmation message generated in (k) to the computer 42 of the credit card company.

m) The computer of the credit card company checks the message from the mobile telephone (j) and the ID confirmation message from the database (l) and executes suitable comparisons. If all data are accepted, a printing order is generated, which comprises suitable information, such as seller, buyer, amount, credit card number, number of request, date, time and verification number.

n) The printing order is transmitted to the card terminal 52.

o) The card terminal prints the transaction receipt 53.

p) The credit card 51 is returned to the customer, who signs the transaction receipt 53, keeping the copy while the seller keeps the original.
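The code word handling in steps (f), (h) and (k) can be sketched as follows. This is an added example, not code from the patent: the class and method names, the message fields, the subscription number and the PIN are assumptions made for illustration, and the position check, tip handling and the card company's comparisons in step (m) are left out.

```python
import hmac
import secrets


def generate_code_words(count=10, digits=6):
    """Randomly generated code word set, stored identically on phone and database."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


class CodeWordStore:
    """One copy of the set; words before next_index are registered as used up."""

    def __init__(self, words):
        self.words = list(words)
        self.next_index = 0

    def peek(self, n):
        return self.words[self.next_index:self.next_index + n]

    def consume(self, n):
        taken = self.peek(n)
        if len(taken) < n:
            raise RuntimeError("code word set exhausted; a new set must be issued")
        self.next_index += n
        return taken


class Phone:
    """Stands in for software 18 on mobile telephone 10 (step h)."""

    def __init__(self, words, pin):
        self.store = CodeWordStore(words)
        self._pin = pin

    def answer(self, challenge, high_security=False, pin=None):
        if high_security and not (pin and hmac.compare_digest(pin, self._pin)):
            return None  # no code word leaves the phone without the PIN
        # Reply carries the first and the following non-used code word.
        return {"request": challenge["request"], "code_words": self.store.consume(2)}


class Database:
    """Stands in for database 21 (steps f and k)."""

    def __init__(self):
        self.sets = {}  # subscription number -> CodeWordStore

    def enroll(self, subscription, words):
        self.sets[subscription] = CodeWordStore(words)

    def challenge(self, subscription, request_no):
        # Step (f): the confirmation demand includes the next non-used code word.
        return {"request": request_no, "code_word": self.sets[subscription].peek(1)[0]}

    def confirm(self, subscription, reply):
        # Step (k): both words must be the next two in the predetermined sequence.
        store = self.sets[subscription]
        expected, supplied = store.peek(2), reply["code_words"]
        ok = len(expected) == 2 and len(supplied) == 2 and all(
            hmac.compare_digest(e, s) for e, s in zip(expected, supplied))
        if ok:
            store.consume(2)  # both words are now used up, so a replay fails
        return ok


if __name__ == "__main__":
    words = generate_code_words()
    db, phone = Database(), Phone(words, pin="4321")   # constructed sample PIN
    db.enroll("+46700000000", words)                   # constructed subscription number
    reply = phone.answer(db.challenge("+46700000000", 1), high_security=True, pin="4321")
    print("first confirmation:", db.confirm("+46700000000", reply))
    print("replayed reply:", db.confirm("+46700000000", reply))
```

If a reply is lost after the phone has marked its words as used, the two copies of the set drift out of sequence; this sketch does not resynchronise them.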

The following steps represent the customer's experience of the chain of events described above.

- The customer hands over his credit card in the usual way.
- On the display of his mobile telephone, the customer receives information on the payment, and he confirms the commission by pressing two keys. When the commission is considerable (high security classification), the customer has to input his PIN code or other similar password between the first and the second confirmation, and if needed he adjusts the amount, i.e. he gives a tip.
- The customer signs the transaction receipt and keeps the copy, in the customary manner.

Additional steps: By pressing keys twice, the customer confirms the payment and also inputs, if required, the PIN code and increases the amount if a tip is to be given.

Steps that disappear: The customer need not show any identification papers.

The following sequence of steps represents the seller's experience of the above chain of events.

- The seller accepts the credit card and runs it through the reader of the card terminal, as usual.
- The seller inputs the amount via the card terminal as usual.
- The seller tears off the transaction receipt as usual.
- The seller makes sure that the customer signs the receipt of the transaction and keeps the original as usual.

Additional steps: None

Steps that disappear: The seller does not have to ask for identification papers, check the latter or register the number of the identification papers.

Possible Varieties of Locations Where Rapid Payment is Essential

In case of payment of smaller amounts in shops, kiosks, petrol stations, and the like, the confirmation might not necessarily have to be effected over the mobile network, since this procedure might take about a minute longer. Instead, the IR data transmission port 19 of the mobile telephone might be used. In this case, the card terminal is also equipped with a corresponding communication port (not shown) and software, as well as with a display, should the cash register not already have a display facing the customer. The communication port preferably is located on the display unit or close to the latter.

According to this embodiment, the seller swipes the customer's credit card through the reader, and inputs the amount, or receives it directly, for instance from the petrol pump that the customer has just used, i.e. in the manner in operation today. When this is done, the amount is shown on the display mentioned above, said display also requesting the customer to e.g. “Confirm payment by means of your mobile telephone”. The customer then directs his mobile telephone towards the display and receives e.g. the name of the petrol station and the amount in question. By two confirmation key pressings on the mobile-telephone keypad, the first non-used code word is transferred to the card terminal and the display may show e.g. “Password received”. From then on, everything functions as it does today.

It could be said that the mobile telephone replaces the control keypad commonly existing in many petrol stations, at least in Sweden. However, any person standing close by could make note of the code that is being inputted, even if a screen is provided to make this more difficult. Should the person who just inputted his check code leave his card on the desk, this might constitute a temptation to a dishonest individual. Such a person could, for instance, block the credit card from view by putting his hand over it and let it slide down into his pocket. The dishonest individual could then fill the family cars with petrol before the rightful owner notices that his credit card is missing, for instance when a week later he again intends to fill his car with petrol.

A consequence of the invention is that a code word is never used more than once, and in addition that normally nobody, neither the customer nor anyone else, will ever set eyes on any code words whatsoever.

CONCLUSION

It should be understood that a number of varieties of the embodiments described above are possible within the scope of protection of the appended claims. For example, a large number of alternative authentication methods can be used with a system in accordance with the invention. In the same manner, equipment different from the one described herein could be used to implement the method in accordance with the invention.

1. A method of authenticating a commission from a customer to a service provider, comprising the steps of forming a plurality of sets of randomly generated code words; storing one of said plurality of code word sets in a memory circuit of a mobile telephone, which circuit is associated with a mobile-telephone subscription; storing an identical code word set in a database together with an association to said mobile-telephone subscription; and at the time of requesting the commission, identifying said mobile-telephone subscription, retrieving at least one code word from the memory circuit and checking the presence of said code word in the code word set in the database that is associated with said mobile-telephone subscription, thereby authenticating the commission.
2. A method as claimed in claim 1, wherein the code word is retrieved from the memory circuit in a predetermined sequence known to the database.
3. A method as claimed in claim 2, further comprising the step of registering, in at least one of the memory circuit and the database, when a code word has been used, thus ensuring said predetermined sequence is followed.
4. A method as claimed in claim 1, wherein the step of identifying the mobile-telephone subscription comprises the steps of determining the identity of the customer, and, based on the identity of the customer, identifying the mobile-telephone subscription.
5. A method as claimed in claim 1, wherein a request to provide a code word is sent to the customer.
6. A method as claimed in claim 5, wherein the request is sent to the mobile telephone via the telecommunication network.
7. A method as claimed in claim 5, wherein the code word is transmitted from the mobile telephone to the database via the telecommunication network.
8. A method as claimed in claim 1, wherein the identity of the customer and the code word retrieved from the memory circuit are transferred to the service provider, the mobile-telephone subscription associated with the customer is identified by the service provider, and the code word and the identity of the mobile-telephone subscription are transferred to the database by the service provider.
9. A method as claimed in claim 1, wherein a second code word is retrieved from the memory circuit and is transferred to the database to further authenticate the commission.
10. A method as claimed in claim 9, wherein the code words in the set are connected to one another in groups, said first and said second code words being included in the same group of code words.
11. A method as claimed in claim 9, wherein said first code word is transferred from the customer to the database, the database sends a request to the customer to provide said second code word, and said second code word is transferred from the customer to the database.
12. A method as claimed in claim 1, further comprising the steps of associating at least one position indication with the mobile-telephone subscription and storing said indication in the database, and, each time a commission is requested, establishing the location of the memory circuit and checking the position indication thus obtained against said position indication stored in the database.
13. A method of authenticating a commission from a customer to a service provider, wherein a set of randomly generated code words has been stored in a memory circuit associated with a mobile-telephone subscription in a mobile telephone as well as in a database together with an association to said mobile-telephone subscription, comprising the steps of: establishing the identity of the customer; identifying the mobile-telephone subscription on the basis of the identity of the customer; retrieving a code word from the memory circuit; and checking the presence of said code word in the code word set in the database that is associated with said mobile-telephone subscription, in order to thus authenticate the commission.
14. A system for authenticating a commission from a customer to a service provider, comprising: a mobile telephone having a memory circuit associated with a mobile-telephone subscription; means to enable the customer to disclose his identity to the service provider; a database; a set of randomly generated code words, said set stored in the first place in the memory circuit and in the second place in the database, where it is associated with the mobile-telephone subscription; means to identify the mobile-telephone subscription based on the identity of the customer; means to enable the customer to retrieve a code word from the memory circuit and to transfer said code word to the database; and checking means for checking that said code word is present in the code word set in the database that is associated with said mobile-telephone subscription, in order to thus authenticate the commission.
15. A system as claimed in claim 14, wherein said checking means comprises a communication means for communication between the database and the mobile telephone.
16. A method as claimed in claim 2, wherein the identity of the customer and the code word retrieved from the memory circuit are transferred to the service provider, the mobile-telephone subscription associated with the customer is identified by the service provider, and the code word and the identity of the mobile-telephone subscription are transferred to the database by the service provider.
17. A method as claimed in claim 3, wherein the identity of the customer and the code word retrieved from the memory circuit are transferred to the service provider, the mobile-telephone subscription associated with the customer is identified by the service provider, and the code word and the identity of the mobile-telephone subscription are transferred to the database by the service provider.
18. A method as claimed in claim 6, wherein the code word is transmitted from the mobile telephone to the database via the telecommunication network.
19. A method as claimed in claim 10, wherein said first code word is transferred from the customer to the database, the database sends a request to the customer to provide said second code word, and said second code word is transferred from the customer to the database.
20. A method as claimed in claim 2, wherein a request to provide a code word is sent to the customer.